DOCSLIB.ORG

The Ray Attack on RSA Cryptosystems’, in R

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

The ray attack, an inefficient trial to break RSA cryptosystems

Andreas de Vries

FH S u ¨dwestfalen University of Applied Sciences, Haldener Straße 182, D-58095 Hagen

Abstract

The basic properties of RSA cryptosystems and some classical attacks on them are described. Derived from geometric properties of the Euler functions, the Euler function rays, a new ansatz to attack RSA cryptosystems is presented. A resulting, albeit inefficient, algorithm is given. It essentially consists of a loop with starting value determined by the Euler function ray and with step width given by a function ω (n) being a multiple of the

e

order ordn(e), where e denotes the public key exponent and n the RSA modulus. For

n = pq and an estimate r < pq for the smaller prime factor p, the running time is given

by T(e,n,r) = O((r p)lnelnnlnr).

Contents

12

  • Introduction
  • 1

  • RSA cryptosystem
  • 2

45
2.1 Properties of an RSA key system . . . . . . . . . . . . . . . . . . . . . . . . . 2.2 Classical RSA attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

  • 3
  • The Euler function ray attack
  • 7

3.1 The ω-function and the order of a number modulo n . . . . . . . . . . . . . . .
7

3.2 Properties of composed numbers n = pq  . . . . . . . . . . . . . . . . . . . . . 10 3.3 The algorithm . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

  • 4
  • Discussion
  • 15

  • 15
  • A Appendix

A.1 Euler’s Theorem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 A.2 The Carmichael function and Carmichael’s Theorem . . . . . . . . . . . . . . 16

1 Introduction

Since the revolutionary idea of asymmetric cryptosystems was born in the 1970’s, due to Diffie and Hellman [4] and Rivest, Shamir and Adleman [9], public key technology became an indispensable part of contemporary electronically based communication. Its applications range

This paper is a slight modification of [10]

e-Mail: [email protected]

1from authentication to digital signatures and are widely considered to be an essential of future applications for e-commerce.
The most popular cryptosystem is RSA. There has been numerous, more or less unsuccessful, attacks on RSA. The strongness of RSA bases on the difficulty to factorize integers as well as to compute the discrete logarithm. For more details, see e.g. [1, 2, 3, 6]; cf. also

http://www.math-it.org

2 RSA cryptosystem

The RSA cryptosystem, named after its inventors Ron Rivest, Adi Shamir, and Len Adleman (1978), was the first public key cryptosystem and is still the most important one. It is based on the dramatic difference between the ease of finding large prime numbers and computing modular powers on the one hand, and the difficulty of factorizing a product of large prime numbers as well as inverting the modular exponentiation.
Generally, in a public key system, each participant has both a public key and a private key, which is held secret. Each key is a piece of information. In the RSA cryptosystem, each key consists of a group of integers. The participants are traditionally called Alice and Bob, and we denote their public and secret keys as PA, SA for Alice and PB, SB for Bob. All participants create their own pair of public and private keys. Each keeps his private key secret, but can reveal his public key to anyone or can even publish it. It is very convenient that everyone’s public key is available in a public directory, so that any participant can easily obtain the public key of any other participant, just like we nowadays can get anyones phone number from a public phone book.
In the RSA cryptosystem, each participant creates his public and private keys with the following procedure.

1. Select at random two large prime numbers p and q, p = q. (The primes might be more than 200 digits each, i.e. more than 660 bits.)

2. Compute n = pq and the Carmichael function λ (n) = lcm(p−1,q−1).

3. Select an integer d relatively prime to λ (n). (d should be of the magnitude of n, i.e., d /

λ (n).)

4. Compute e as the multiplicative inverse of d modulo λ (n), such that ed = 1 mod λ (n).
This is done efficiently by the extended Euclidean algorithm.

5. Publish the pair P = (e,n) as the public key. 6. Keep secret the pair S = (d,n) as the private or secret key.

For this procedure, the domain of the messages is Z . For each participant of a cryptosystem,

n

the four-tuple (e,d, p,q) ∈ N4 is called (individual) RSA key system. The key parameter e is also called the encryption exponent, d the decryption exponent, and n the RSA modulus.

The encryption of a message m ∈ Z associated with a public key P = (e,n) is performed

n

by the function E : Z → Z ,

  • n
  • n

E(m) = me mod n.

(1)
2
The decryption of a ciphertext c ∈ Z associated with the private key S = (d,n) is done by the

n

mapping D : Z → Z ,

  • n
  • n

D(c) = cd mod n.

(2)
The procedure where Alice sends an encrypted message to Bob is schematically shown in Figure 1. A qualitatively new possibility offered by public key systems (and being unimple-

Figure 1: Alice sends an encrypted message m to Bob, using his public RSA key PB.

mentable with symmetric key systems) is the procedure of digital signature. How an RSA cryptosystem enables Alice to digitally sign a message and how Bob can verify that it is signed by Alice is sketched in Figure 2. As a matter of course, this verification in fact is possible only if the authenticity of Alice’s public key PA is guaranteed such that Bob can assume that it is her key (and not a third person’s one) which he uses. This guarantee is the job of so-called trust centers.

Figure 2: Alice sends a digitally signed message to Bob; Bob uses Alice’s public key to decrypt the message and to verify this way that Alice has signed it with her private key.

The correctness of RSA, i.e., the fact that E and D define inverse functions on Z (DE =

n

E D = idZ ) relies on the simple fact that

n

  • med = m mod n
  • for m ∈ Z ,

(3)

n

which is immediately proved by the corollary of Carmichael A.7, p. 18. For details see, e.g., [1, 2, 3].

3
Remark 2.1 Often one finds the definition of RSA cryptosystems based on the Euler function ϕ rather than on the Carmichael function λ , cf. [3]. However, since ϕ(pq) = (p− 1)(q− 1), both function values ϕ(pq) and λ (pq) share the same divisors. Therefore, a possible key parameter d relatively prime to λ (pq) is also relatively prime to ϕ(pq), and vice versa. Only the resulting counter key e may differ. To be more precise, any possible RSA key pair of a system based on the Euler function is a possible key pair with respect to the Carmichael function, whereas the reverse is not generally true. (Proof: Since λ (n)|ϕ(n), the equality ed = 1 mod ϕ(n) implies ed = 1 mod λ (n).) Using the Euler function ϕ, the correctness of RSA is shown with the Euler theorem A.2 on p. 16, instead of the corollary of Carmichael.

2.1 Properties of an RSA key system

Theorem 2.2 Let p, q ∈ N be two primes, p,q > 1, p = q. Then the number νpq of all possible key pairs (P,S) = ((e, pq),(d, pq)) is given by

ν

pq = ϕ(λ (pq)).

(4)

The (trivial) keys with e = d = 1 and with e = d = λ (pq)−1 are always possible, and
(p−1)(q−1)

2 < νpq

  • <
  • .

(5)

gcd(p−1,q−1)
Proof. Since ed = 1 mod λ (pq), without restriction to generality we have 0 < e,d < λ (pq). Moreover, gcd(d,λ (pq)) = gcd(e,λ (pq)) = 1, because for an arbitrary integer a with gcd(a, λ (pq)) > 1 there exists no b ∈ N such that ab = 1 mod λ (pq). Therefore, e,d ∈ Zλ (pq). In

turn, to any a ∈ Zλ (pq) there exists an integer b such that ab = 1 mod λ (pq), since Zλ(pq) is a group. But the order of Zλ (pq) is exactly ϕ(λ (pq)).
It is clear that 1 · 1 = 1 mod λ (n), so e = d = 1 are always possible as key parameters.

If e = d = λ (pq) − 1, we have ed = λ 2(pq) − 2λ (pq) + 1 = 1 mod λ (pq), so e and d are

always possible, too. By (47), λ (pq) is even and (by pq ≧ 6) greater than 2, so νpq > 2. The maximum number of elements on the other hand is λ (pq)−1.

The plot of all possible RSA key parameters (e,d) reveals general symmetries in the (e,d)- plane. First we observe that if P = (e,n), S = (d,n) is a possible RSA key pair, then trivially

also P= (d,n), S= (e,n) is possible, because ed = de = 1 mod λ (n). Furthermore, if ed = 1 mod λ (n) and 0 < e,d < λ (n)/2, then

  • e= λ (n)−e,
  • d= λ (n)−d

(6)

satisfy λ (n)/2 < e,d< λ (n) as well as ed= λ 2(n)−λ (n)(e+d)+ed = ed mod λ (n).
Therefore, P= (e,n) and S= (d,n) are possible RSA keys, too.

To sum up, all possible RSA key parameters (e,d), plotted in the square lattice [0,λ (n) −
1]2 ⊂ N2 with edges ranging from 0 to λ (n)−1, form a pattern which is symmetric to both the principal and the secondary square diagonals, see Figure 3. Thus, the region

U = {(e,d) ∈ [0,λ (n)−1]2 : 0 < d ≦ min(e,λ (n)−e)}

(7) contains all information to generate the rest of the square lattice by reflections at the main diagonal (d e) and at the secondary diagonal (6).

4

Figure 3: Plots of the possible RSA key parameter pairs (e,d) ∈ [0,λ (n) − 1]2 for different primes p and q, represented as points in the (e,d)-plane. For the first plot, p = 11 and q = 83, for the second one p = 19 and q = 131. The shaded region is U as given by (7).

2.2 Classical RSA attacks

There are several specific methods to break an RSA cryptosystem. The initial situation for an attack is that an eavesdropper knows the public key P = (e,n) and the encrypted message c. For details see, e.g., [1] and [2, §7].

2.2.1 Factorization of the RSA modulus n

If the eavesdropper succeeds in finding the factorization n = pq of n, knowing e he can easily compute d. But factorization of numbers n = pq with

p,q > 10200

(8)
(hence n > 10400, i.e., n has length more than about 1320 bits), is difficult with current technology, if p and q differ enough,

|pq| > 10100

.

(9)
Otherwise n can be factorized efficiently by exhaustive search of two integers n+ and n satis-

fying n = n2 n2 , beginning at n+ = ⌈ n⌉ and n = 0. These two integers then necessarily

+

  • p
  • q

obey n =

.

2

It can be proved that, knowing the public key (e,n), factorizing the RSA modulus n is as difficult as finding the secret key (d,n), see [2, §7.2.5].
Factorization is the most efficient known attack on RSA. The fastest known factorization method, the number field sieve of John Pollard in 1988, yields running times for a 10 GHz computer as given in Table 1.

2.2.2 Chosen-plaintext attack

The eavesdropper systematically encrypts all messages m with Bob’s public key PB until he achieves the ciphertext c. This attack is efficient if the set of messages m is small or if the

5

  • magnitude of the number bits
  • operations CPU time

n ≈ 1050 n ≈ 1075 n ≈ 10100 n ≈ 10200 n ≈ 10300

167 250 330 665

  • 1.4·1010
  • 14 seconds

  • 2.5 hours
  • 9·1012

2.3·1015 1.2·1023
26.6 days 3.8 mio years

  • 4.9·1012 years
  • 1000 1.5·1029

Table 1: CPU times for factorizing of numbers n on a 10 GHz computer.

message m is short.
“Pad” each message such that its size is of the magnitude of the modulus. Use “probabilistic encryption,” where a given plaintext is mapped onto several ciphertexts.
(10)

2.2.3 Chosen-ciphertext attack

There is a similar method, the chosen-ciphertext attack, which can be applied if Bob signs a document with his private key. The eavesdropper receiving the ciphertext c and wishing to find the decryption m = cd mod n chooses a random integer s and asks Bob to digitally sign the innocent-looking message c˜ = sec mod n. From his answer m˜ = c˜d it is easy to recover the

original message, because m = m˜ /s mod n.

Never sign unknown documents; before signing a document, always apply a one-way hash function to it.
(11)

2.2.4 Message iteration

Let be ci ∈ Z be iteratively defined as

n

  • c0 = m,
  • ci = cei−1 mod n
  • (i = 1,2,...).

i

In fact, ci = me mod n, and c1 = c is the ciphertext. The smallest index k with ck+1 = c1 is the

iteration exponent or period of m, cf. definition 3.3: it exactly shows (!) the original message,

ck = m.

Such a period k uniquely exists, it is the order of e modulo λ (n), k = ordλ (n)(e), cf. (15). Thus it divides λ (λ (n)) and ϕ(λ (n)). To avoid an efficient attack by iteration, λ (λ (n)) and the order of e with respect to λ (n) have to be large,

λ (λ (n)), ordλ (n)(e) > 10200

.

(12)
This condition is satisfied for so-called “doubly safe primes” p and q: A prime p is doubly safe, if both (p−1)/2 and (p−3)/4 are primes. For instance, 11, 23, 47, 167, 359 are doubly safe primes. A doubly safe prime p = 11 always has the form 24a−1, or p = −1 mod 24. For two doubly safe primes p, q, we have λ (pq) = 2 p−1 q−1, and therefore λ (λ (pq)) = lcm(2, p−3
,

  • 2
  • 2
  • 2

p−3 q−3

q−3) =

= (p−3)(q−3)/8.

1

  • 2
  • 2
  • 2
  • 2

6

2.2.5 Broadcast decryption by the low-exponent attack

In general, it may be convenient to use a small public key parameter e such that the encryption of a message is easy to compute (for instance for a small chip card). However, suppose Alice sends the same message to l different participants whose public keys are P = (e,ni) where

i

the ni’s are relatively prime to each other and l e; to emphasize, the public keys have the same encryption exponent e. If an eavesdropper receives the l ciphertexts ci = me mod ni, he can easily compute c= cimod n1 ···nl by the Chinese remainder theorem. But if the product

Recommended publications
  • Idempotent Factorizations of Square-Free Integers

    Idempotent Factorizations of Square-Free Integers

    information Article Idempotent Factorizations of Square-Free Integers Barry Fagin Department of Computer Science, US Air Force Academy, Colorado Springs, CO 80840, USA; [email protected]; Tel.: +1-719-333-7377 Received: 20 June 2019; Accepted: 3 July 2019; Published: 6 July 2019 Abstract: We explore the class of positive integers n that admit idempotent factorizations n = p¯q¯ such that l(n)¶(p¯ − 1)(q¯ − 1), where l is the Carmichael lambda function. Idempotent factorizations with p¯ and q¯ prime have received the most attention due to their cryptographic advantages, but there are an infinite number of n with idempotent factorizations containing composite p¯ and/or q¯. Idempotent factorizations are exactly those p¯ and q¯ that generate correctly functioning keys in the Rivest–Shamir–Adleman (RSA) 2-prime protocol with n as the modulus. While the resulting p¯ and q¯ have no cryptographic utility and therefore should never be employed in that capacity, idempotent factorizations warrant study in their own right as they live at the intersection of multiple hard problems in computer science and number theory. We present some analytical results here. We also demonstrate the existence of maximally idempotent integers, those n for which all bipartite factorizations are idempotent. We show how to construct them, and present preliminary results on their distribution. Keywords: cryptography; abstract algebra; Rivest–Shamir–Adleman (RSA); computer science education; cryptography education; number theory; factorization MSC: [2010] 11Axx 11T71 1. Introduction Certain square-free positive integers n can be factored into two numbers (p¯, q¯) such that l(n)¶ (p¯ − 1)(q¯ − 1), where l is the Carmichael lambda function.
  • Composite Numbers That Give Valid RSA Key Pairs for Any Coprime P

    Composite Numbers That Give Valid RSA Key Pairs for Any Coprime P

    information Article Composite Numbers That Give Valid RSA Key Pairs for Any Coprime p Barry Fagin ID Department of Computer Science, US Air Force Academy, Colorado Springs, CO 80840, USA; [email protected]; Tel.: +1-719-339-4514 Received: 13 August 2018; Accepted: 25 August 2018; Published: 28 August 2018 Abstract: RSA key pairs are normally generated from two large primes p and q. We consider what happens if they are generated from two integers s and r, where r is prime, but unbeknownst to the user, s is not. Under most circumstances, the correctness of encryption and decryption depends on the choice of the public and private exponents e and d. In some cases, specific (s, r) pairs can be found for which encryption and decryption will be correct for any (e, d) exponent pair. Certain s exist, however, for which encryption and decryption are correct for any odd prime r - s. We give necessary and sufficient conditions for s with this property. Keywords: cryptography; abstract algebra; RSA; computer science education; cryptography education MSC: [2010] 11Axx 11T71 1. Notation and Background Consider the RSA public-key cryptosystem and its operations of encryption and decryption [1]. Let (p, q) be primes, n = p ∗ q, f(n) = (p − 1)(q − 1) denote Euler’s totient function and (e, d) the ∗ Z encryption/decryption exponent pair chosen such that ed ≡ 1. Let n = Un be the group of units f(n) Z mod n, and let a 2 Un. Encryption and decryption operations are given by: (ae)d ≡ (aed) ≡ (a1) ≡ a mod n We consider the case of RSA encryption and decryption where at least one of (p, q) is a composite number s.
  • Arithmetic Properties of Φ(N)/Λ(N) and the Structure of the Multiplicative Group Modulo N

    Arithmetic Properties of Φ(N)/Λ(N) and the Structure of the Multiplicative Group Modulo N

    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by University of Missouri: MOspace Arithmetic Properties of '(n)/λ(n) and the Structure of the Multiplicative Group Modulo n William D. Banks Department of Mathematics, University of Missouri Columbia, MO 65211 USA [email protected] Florian Luca Instituto de Matem´aticas Universidad Nacional Aut´onoma de M´exico C.P. 58089, Morelia, Michoac´an, M´exico [email protected] Igor E. Shparlinski Department of Computing Macquarie University Sydney, NSW 2109, Australia [email protected] Abstract For a positive integer n, we let '(n) and λ(n) denote the Euler function and the Carmichael function, respectively. We define ξ(n) as the ratio '(n)/λ(n) and study various arithmetic properties of ξ(n). AMS-classification: 11A25 Keywords: Euler function, Carmichael function. 1 1 Introduction and Notation Let '(n) denote the Euler function, which is defined as usual by '(n) = #(Z=nZ)× = pν−1(p − 1); n ≥ 1: ν pYk n The Carmichael function λ(n) is defined for all n ≥ 1 as the largest order of any element in the multiplicative group (Z=nZ)×. More explicitly, for any prime power pν, one has pν−1(p − 1) if p ≥ 3 or ν ≤ 2; λ(pν) = 2ν−2 if p = 2 and ν ≥ 3; and for an arbitrary integer n ≥ 2, ν1 νk λ(n) = lcm λ(p1 ); : : : ; λ(pk ) ; ν1 νk where n = p1 : : : pk is the prime factorization of n. Clearly, λ(1) = 1. Despite their many similarities, the functions '(n) and λ(n) often exhibit remarkable differences in their arithmetic behavior, and a vast number of results about the growth rate and various arithmetical properties of '(n) and λ(n) have been obtained; see for example [4, 5, 7, 8, 9, 11, 15].
  • On Generalized Carmichael Numbers

    On Generalized Carmichael Numbers

    ON GENERALIZED CARMICHAEL NUMBERS YONGYI CHEN AND TAE KYU KIM Abstract. Given an integer k, define Ck as the set of integers n > max(k; 0) such that an−k+1 ≡ a (mod n) holds for all integers a. We establish various multiplicative properties of the elements in Ck and give a sufficient condition for the infinitude of Ck. Moreover, we prove that there are finitely many elements in Ck with one and two prime factors if and only if k > 0 and k is prime. In addition, if all but two prime factors of n 2 Ck are fixed, then there are finitely many elements in Ck, excluding certain infinite families of n. We also give conjectures about the growth rate of Ck with numerical evidence. We explore a similar question when both a and k are fixed and prove that for fixed integers a ≥ 2 and k, there are infinitely many integers n such that an−k ≡ 1 (mod n) if and only if (k; a) 6= (0; 2) by building off the work of Kiss and Phong. Finally, we discuss the multiplicative properties of positive integers n such that Carmichael function λ(n) divides n − k. 1. Introduction In 1860, Fermat proved that if p is a prime number, then p divides ap−1 − 1 for any integer a not divisible by p, a result now known as Fermat’s little theorem. An equivalent formulation is that whenever p is a prime number, p divides ap − a for all integers a. Fermat’s little theorem gives a test for prime numbers.
  • Handbook of Number Theory Ii

    Handbook of Number Theory Ii

    HANDBOOK OF NUMBER THEORY II by J. Sandor´ Babes¸-Bolyai University of Cluj Department of Mathematics and Computer Science Cluj-Napoca, Romania and B. Crstici formerly the Technical University of Timis¸oara Timis¸oara Romania KLUWER ACADEMIC PUBLISHERS DORDRECHT / BOSTON / LONDON A C.I.P. Catalogue record for this book is available from the Library of Congress. ISBN 1-4020-2546-7 (HB) ISBN 1-4020-2547-5 (e-book) Published by Kluwer Academic Publishers, P.O. Box 17, 3300 AA Dordrecht, The Netherlands. Sold and distributed in North, Central and South America by Kluwer Academic Publishers, 101 Philip Drive, Norwell, MA 02061, U.S.A. In all other countries, sold and distributed by Kluwer Academic Publishers, P.O. Box 322, 3300 AH Dordrecht, The Netherlands. Printed on acid-free paper All Rights Reserved C 2004 Kluwer Academic Publishers No part of this work may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, microfilming, recording or otherwise, without written permission from the Publisher, with the exception of any material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. Printed in the Netherlands. Contents PREFACE 7 BASIC SYMBOLS 9 BASIC NOTATIONS 10 1 PERFECT NUMBERS: OLD AND NEW ISSUES; PERSPECTIVES 15 1.1 Introduction .............................. 15 1.2 Some historical facts ......................... 16 1.3 Even perfect numbers ......................... 20 1.4 Odd perfect numbers ......................... 23 1.5 Perfect, multiperfect and multiply perfect numbers ......... 32 1.6 Quasiperfect, almost perfect, and pseudoperfect numbers ...............................
  • A NEW ALGORITHM for CONSTRUCTING LARGE CARMICHAEL NUMBERS 1. Introduction a Commonly Used Method to Decide Whether a Given Numbe

    A NEW ALGORITHM for CONSTRUCTING LARGE CARMICHAEL NUMBERS 1. Introduction a Commonly Used Method to Decide Whether a Given Numbe

    MATHEMATICS OF COMPUTATION Volume 65, Number 214 April 1996, Pages 823–836 ANEWALGORITHM FOR CONSTRUCTING LARGE CARMICHAEL NUMBERS GUNTER¨ LOH¨ AND WOLFGANG NIEBUHR Abstract. We describe an algorithm for constructing Carmichael numbers N with a large number of prime factors p1,p2,...,pk. This algorithm starts with a given number Λ = lcm(p1 1,p2 1,...,pk 1), representing the value of the Carmichael function λ(−N). We− found Carmichael− numbers with up to 1101518 factors. 1. Introduction A commonly used method to decide whether a given number N is composite is the following easily practicable test: Take some number a with gcd(a, N)=1and N 1 compute b a − mod N.Ifb=1,ourN is composite. Unfortunately, if we get b = 1 we cannot← be sure that N 6is prime, even though this is true in many cases. AcompositenumberNwhich yields b = 1 is called a pseudoprime to the base a.IfsomeNyields b =1forallbasesawith gcd(a, N)=1,thisNis called an absolute pseudoprime or a Carmichael number. These numbers were first described by Robert D. Carmichael in 1910 [3]. The term Carmichael number was introduced by Beeger [2] in 1950. The smallest number of this kind is N =3 11 17 = 561. Studying the properties of absolute pseudoprimes, Carmichael defined· · a function λ(N) as follows: λ(2h)=ϕ(2h)forh=0,1,2, 1 λ(2h)= ϕ(2h)forh>2, 2 λ(qh)=ϕ(qh)forprimesq>2, h1 h2 hr h1 h2 hr λ(q q q )=lcm(λ(q ),λ(q ),...,λ(q )) for distinct primes qj , 1 2 ··· r 1 2 r where ϕ denotes Euler’s totient function.
  • Topics in Primitive Roots N

    Topics in Primitive Roots N

    Topics In Primitive Roots N. A. Carella Abstract: This monograph considers a few topics in the theory of primitive roots modulo a prime p≥ 2. A few estimates of the least primitive roots g(p) and the least prime primitive roots g *(p) modulo p, a large prime, are determined. One of the estimate here seems to sharpen the Burgess estimate g(p)≪p 1/4+ϵ for arbitrarily small number ϵ> 0, to the smaller estimate g(p)≪p 5/loglogp uniformly for all large primes p⩾ 2. The expected order of magnitude is g(p)≪(logp) c, c> 1 constant. The corre- sponding estimates for least prime primitive roots g*(p) are slightly higher. The last topics deal with Artin conjecture and its generalization to the set of integers. Some effective lower bounds such as {p⩽x : ord(g)=p-1}≫x(logx) -1 for the number of primes p⩽x with a fixed primitive root g≠±1,b 2 for all large number x⩾ 1 will be provided. The current results in the literature have the lower bound {p⩽x : ord(g)=p-1}≫x(logx) -2, and have restrictions on the minimal number of fixed integers to three or more. Mathematics Subject Classifications: Primary 11A07, Secondary 11Y16, 11M26. Keywords: Prime number; Primitive root; Least primitive root; Prime primitive root; Artin primitive root conjecture; Cyclic group. Copyright 2015 ii Table Of Contents 1. Introduction 1.1. Least Primitive Roots 1.2. Least Prime Primitive Roots 1.3. Subsets of Primes with a Fixed Primitive Roots 1.4.
  • Arxiv:1902.10672V2 [Math.NT] 12 May 2021 Ai Yfra’ Itetheorem

    Arxiv:1902.10672V2 [Math.NT] 12 May 2021 Ai Yfra’ Itetheorem

    ON CARMICHAEL AND POLYGONAL NUMBERS, BERNOULLI POLYNOMIALS, AND SUMS OF BASE-P DIGITS BERND C. KELLNER AND JONATHAN SONDOW Abstract. We give a new characterization of the set of Car- michael numbers in the context of p-adic theory, independentlyC of the classical results of Korselt and Carmichael. The characteriza- tion originates from a surprising link to the denominators of the Bernoulli polynomials via the sum-of-base-p-digits function. More precisely, we show that such a denominator obeys a triple-product identity, where one factor is connected with a p-adically defined subset of the squarefree integers that contains . This leads to the definitionS of a new subset ′ of , called the “primaryC Carmichael numbers”. Subsequently, weC establishC that every Carmichael num- ber equals an explicitly determined polygonal number. Finally, the set is covered by modular subsets d (d 1) that are related to S S ≥ the Kn¨odel numbers, where = 1 is a special case. C S 1. Introduction A composite positive integer m is called a Carmichael number if the congruence am−1 1 (mod m) (1.1) ≡ holds for all integers a coprime to m (see [11, Sec. A13], [24, Chap. 2, Sec. IX]). Clearly, if m were a prime, then this congruence would be valid by Fermat’s little theorem. arXiv:1902.10672v2 [math.NT] 12 May 2021 Let “number” mean “positive integer” unless otherwise specified, and let p always denote a prime. A first result on Carmichael numbers is the following criterion (for a proof, see [6] or [8, p. 134]). Theorem 1.1 (Korselt’s criterion [20] (1899)).
  • Asymptotics for Primitive Roots Producing Polynomials and Primitive Points on Elliptic Curves

    Asymptotics for Primitive Roots Producing Polynomials and Primitive Points on Elliptic Curves

    Asymptotics For Primitive Roots Producing Polynomials And Primitive Points On Elliptic Curves N. A. Carella 1 arXiv:1609.01147v3 [math.GM] 19 Jun 2017 1Copyright 2017 Abstract Let x ≥ 1 be a large number, let f(n) 2 Z[x] be a prime producing polynomial of degree deg(f) = m, and let u 6= ±1; v2 be a fixed integer. Assuming the Bateman- Horn conjecture, an asymptotic counting function for the number of primes p = f(n) ≤ x with a fixed primitive root u is derived in this note. This asymptotic result has the form 1=m πf (x) = #fp = f(n) ≤ x : ordp(u) = p − 1g = (c(u; f) + O (1= log x))) x = log x , where c(u; f) is a constant depending on the polynomial and the fixed integer. Furthermore, new results for the asymptotic order of elliptic primes with respect to fixed elliptic curves E : f(X; Y ) = 0 and its groups of Fp-rational points E(Fp), and primitive points are proved in the last chapters. Mathematics Subject Classifications: Primary 11A07, 11G07; Secondary 11N37; 11N32; and 11B83. Keywords: Primitive Root; Prime Values of Polynomial. Primitive Root Producing Polynomial; Primitive Point; Elliptic Curve. i ii Chapter 0. Abstract Contents Abstract i 1 Introduction 1 1.1 Primitive Root Producing Polynomials . 1 1.2 Elliptic Primitive Points . 2 2 Primes Values of Polynomials 5 2.1 Definitions And Notation . 5 2.2 Polynomials Of One Variable . 5 2.3 Quadratic Polynomials . 7 2.4 Cubic Polynomials . 7 2.5 Quartic Polynomials . 8 2.6 Extreme Densities . 9 2.7 Problems .
  • [Math.NT] 14 Sep 2004 Noncototients and Nonaliquots

    [Math.NT] 14 Sep 2004 Noncototients and Nonaliquots

    Noncototients and Nonaliquots William D. Banks Department of Mathematics, University of Missouri Columbia, MO 65211, USA [email protected] Florian Luca Instituto de Matem´aticas Universidad Nacional Aut´onoma de M´exico C.P. 58180, Morelia, Michoac´an, M´exico [email protected] October 22, 2018 Abstract Let ϕ( ) and σ( ) denote the Euler function and the sum of divisors · · function, respectively. In this paper, we give a lower bound for the number of positive integers m x for which the equation m = n ϕ(n) ≤ − has no solution. We also give a lower bound for the number of m x ≤ for which the equation m = σ(n) n has no solution. Finally, we show − the set of positive integers m not of the form (p 1)/2 ϕ(p 1) for − − − some prime number p has a positive lower asymptotic density. arXiv:math/0409231v1 [math.NT] 14 Sep 2004 1 1 Introduction Let ϕ( ) denote the Euler function, whose value at the positive integer n is · 1 ϕ(n)= n 1 . − p p n Y| An integer of the form ϕ(n) is called a totient;a cototient is an integer in the image of the function f (n)= n ϕ(n). If m is a positive integer for which c − the equation fc(n)= m has no solution, then m is called a noncototient. An old conjecture of Erd˝os and Sierpi´nski (see B36 in [7]) asserts the existence of infinitely many noncototients. This conjecture has been settled by Browkin and Schinzel [1], who showed that if w 3 is an odd integer satisfying certain arithmetic properties, then m = 2ℓw≥is a noncototient for every positive integer ℓ; they also showed that the integer w = 509203 is one such integer.
  • Arxiv:2007.10044V2 [Quant-Ph] 9 Dec 2020 Algorithms for Reducing Perfect Powers Z = Q to Q: a Simple Option Is to Test If Z Is an Integer for Some D ∈ [2, Blog Zc]

    Arxiv:2007.10044V2 [Quant-Ph] 9 Dec 2020 Algorithms for Reducing Perfect Powers Z = Q to Q: a Simple Option Is to Test If Z Is an Integer for Some D ∈ [2, Blog Zc]

    On completely factoring any integer efficiently in a single run of an order finding algorithm Martin Eker˚a1,2 1KTH Royal Institute of Technology, Stockholm, Sweden 2Swedish NCSA, Swedish Armed Forces, Stockholm, Sweden December 10, 2020 Abstract We show that given the order of a single element selected uniformly at random from ∗ ZN , we can with very high probability, and for any integer N, efficiently find the complete factorization of N in polynomial time. This implies that a single run of the quantum part of Shor's factoring algorithm is usually sufficient. All prime factors of N can then be recovered with negligible computational cost in a classical post-processing step. The classical algorithm required for this step is essentially due to Miller. 1 Introduction In what follows, let n Y ei N = pi i = 1 be an m bit integer, with n ≥ 2 distinct prime factors pi, for ei some positive exponents. Let an algorithm be said to factor N if it computes a non-trivial factor of N, and to completely factor N if it computes the set fp1; : : : ; png. Let φ be Euler's totient function, λ be 0 ∗ the Carmichael function, and λ (N) = lcm(p1 − 1; : : : ; pn − 1). Furthermore, let ZN denote the multiplicative group of ZN , the ring of integers modulo N, and let ln and log be the natural and base two logarithms, respectively. Denote by [a; b] the integers from a up to an including b. Throughout this paper, we shall assume N to be odd for proof-technical reasons. This does not imply a loss of generality: It is easy to fulfill this requirement by using trial division.

  • Values of the Euler and Carmichael Functions Which Are Sums of Three Squares

    INTEGERS: ELECTRONIC JOURNAL OF COMBINATORIAL NUMBER THEORY x (200x), #Axx VALUES OF THE EULER AND CARMICHAEL FUNCTIONS WHICH ARE SUMS OF THREE SQUARES Paul Pollack1 Department of Mathematics, University of Illinois, Urbana, Illinois 61801, USA [email protected] Received: , Revised: , Accepted: , Published: Abstract Let ' denote Euler's totient function. The frequency with which '(n) is a perfect square has been investigated by Banks, Friedlander, Pomerance, and Shparlinski, while the frequency with which '(n) is a sum of two squares has been studied by Banks, Luca, Saidak, and Shparlinski. Here we look at the corresponding three-squares question. We show that '(n) is a sum of three squares precisely seven-eighths of the time. We also investigate the analogous problem with ' replaced by Carmichael's λ-function. We prove that the set of n for which λ(n) is a sum of three squares has lower density > 0 and upper density < 1. 1. Introduction Let '(n) denote Euler's totient function, defined as the size of the unit group (Z=nZ)×.A theorem of Banks et al. [2, pp. 40, 43] asserts that for any > 0 and all large x, x x0:7038 ≤ #fn ≤ x : '(n) = g ≤ ; (1) L(x)1− where L(x) = exp(plog x log log log x): 2 We write \" here and below to denote a generic member of the set fn : n = 0; 1; 2; 3;::: g of perfect squares. The same authors present a heuristic argument that the left-hand side of (1) can be replaced with x1−. An investigation into the corresponding question for sums of two squares appeared the following year, where it was shown [4, p.